SSL Protection

RedRules5 · 07-12-2004 11:04pm #1

Could someone enlighten me regarding the security offered by the yellow lock symbol. I understand it offers a secure connection when transfering data over the internet but does it also keep these details safe from any virus etc that might be installed on my computer?

aidan_walsh · 07-12-2004 11:06pm

No, SSL only covers the transmission of data from your machine to the server.

dahamsta · 07-12-2004 11:31pm

What DS said. In the old days it was pretty much guaranteed that a site using an SSL cert signed by a trusted CA (Certification Authority) wouldn't be shoving any crap onto your rig, because: a) they were pretty damned expensive; and b) the authentication procedure was pretty tough[1]. Those days are gone though, since there's a load of CA's out there supplying "chained certs"[2] with a much less secure authentication procedure, and consequently a much lower price. So not only should you be watching out for viruses and diallers and the like, you should be paying attention to the basics when you're surfing an SSL protected site. That is, don't take it for granted that it's a "secure" site just cos there's a pretty lock in the corner of your browser.

Thus ends the lecture for today.

adam

[1] I'll be expecting a around of applause for getting three occurences of the word "pretty" into a single sentence.
[2] A certificate signed by a key that's in turn signed by another CA's key. Only the key at the top of the heap is stored in the browser, hence the "chain".

hmmm · 09-12-2004 10:41pm

SSL is a good example of security that is very marketable but addresses a problem that no-one really has. Don't jump up and down with a knee jerk splutter, give me one example of a credit card stolen in transit and I'll match you with millions of credit cards stolen from whereever they are stored once they reach the vendor site. So endeth rant.

dahamsta · 09-12-2004 11:34pm

Isn't it possible a whole lot more CC details would be stolen if 99% of sites didn't use SSL, because crackers would have a much larger incentive to compromise networks to install sniffers?

adam

hmmm · 09-12-2004 11:49pm

dahamsta wrote:

Isn't it possible a whole lot more CC details would be stolen if 99% of sites didn't use SSL, because crackers would have a much larger incentive to compromise networks to install sniffers?

Why go to all that bother when it's easier to steal through a bit of sql injection, or buying it off whichever employee has stolen the credit card database this month. There's a couple of security technologies in use that imho are marketing fluff rather than providing security where it's most needed. Ultimately it does a disservice to consumers when you see things like "Q. Is our site secure? A. Yes! We utilise SSL"

scojones · 11-12-2004 12:10pm

All that's required is that some small site being hosted on the same machine with a dodgy cgi script that'll let a script kiddie do meh.cgi?file=/bin/ls| (execute commands i.e to spawn a shell and use some 0day local root exploit for the OS. No matter if your site uses SSL or not, it's only as safe as the weakest link on the hosting machine)

dahamsta · 11-12-2004 2:06pm

hmmm wrote:

Why go to all that bother

The more the merrier. And compromising a large proportion of Windows servers is hardly "bother".

Groucho Marx: "Why, a child of five could do it. Bring me a child of five!"

adam

SSL Protection

Comments